Cartographer Web Challenge — HackTheBox

After the completion of 2 web challenges successfully it’s time to move onto the Cartographer.

This challenge is all about hacking into C&C Server.

On opening the IP/DOMAIN:PORT we have the login panel to log into the portal. No common username and passwords work here as i tried admin:admin etc and other combinations while not bruteforcing the panel.

I always try to bypass the login panels using SQL Injection Queries and it worked fine here. I was logged into the panel.

Notice the URL and “info=” parameter. What are we looking for? the flag? Right!. That’s all.

This challenge was way more easy. The issue which arise here is that pentesters/hackers think way more out of the box and they keep on trying the combinations like “home, author, admin, blog, contact” etc etc. It wastes a lot of the time. This challenge was pretty simple while you don’t have to think outside the box.

Thank you for reading!